File name:

NoEscape8.0.exe

Full analysis: https://app.any.run/tasks/a4fdaf07-77ff-489c-a718-2777885190cd
Verdict: Malicious activity
Analysis date: March 24, 2025, 16:40:47
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto
generic
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

1C18F75DAFD667FB5559CF9B7CB5868E

SHA1:

DEAB3392CF25EBC52F15ECDCF7E4187DCAEC81F7

SHA256:

BF3C03FF11E6610BBF806084EC2D58CD5AACB87E52CBF965A789FA74584DE3A5

SSDEEP:

98304:PAY5A+8eV0TIhVoCOAbAz533nG34GWAMpSUZQAxxMLLM0FQjgdz8ONG6H7sO6SHY:ZM8xHZM1jM+9ZfmZ7fVj2VyzMc5u

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • GENERIC has been found (auto)

      • NoEscape8.0.exe (PID: 7488)
    • Changes the autorun value in the registry

      • boot.exe (PID: 8120)
    • Uses Task Scheduler to run other applications

      • boot.exe (PID: 8120)
  • SUSPICIOUS

    • The process checks if it is being run in the virtual environment

      • NoEscape8.0.exe (PID: 7488)
    • Executable content was dropped or overwritten

      • NoEscape8.0.exe (PID: 7488)
      • boot.exe (PID: 8120)
    • Reads security settings of Internet Explorer

      • NoEscape8.0.exe (PID: 7488)
    • Executing commands from a ".bat" file

      • NoEscape8.0.exe (PID: 7488)
      • wscript.exe (PID: 7996)
    • Starts CMD.EXE for commands execution

      • NoEscape8.0.exe (PID: 7488)
      • wscript.exe (PID: 7996)
    • The process executes VB scripts

      • cmd.exe (PID: 7604)
      • cmd.exe (PID: 8060)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 8060)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 8060)
    • Start notepad (likely ransomware note)

      • 10.exe (PID: 5376)
  • INFO

    • The sample compiled with english language support

      • NoEscape8.0.exe (PID: 7488)
    • Reads the computer name

      • NoEscape8.0.exe (PID: 7488)
    • Checks supported languages

      • NoEscape8.0.exe (PID: 7488)
      • melter.exe (PID: 516)
      • tunnel.exe (PID: 7052)
      • 10.exe (PID: 5376)
    • Autorun file from Task Scheduler

      • boot.exe (PID: 8120)
    • Process checks computer location settings

      • 10.exe (PID: 5376)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:06:11 09:16:47+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 201728
InitializedDataSize: 75776
UninitializedDataSize: -
EntryPoint: 0x1eef0
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
155
Monitored processes
22
Malicious processes
2
Suspicious processes
2

Behavior graph

start
  • noescape8.0.exe (#GENERIC)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • wscript.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • boot.exe
  • schtasks.exe (no specs)
  • conhost.exe (no specs)
  • wscript.exe (no specs)
  • reg.exe (no specs)
  • timeout.exe (no specs)
  • inv.exe (no specs)
  • tunnel.exe (no specs)
  • conhost.exe (no specs)
  • melter.exe (no specs)
  • conhost.exe (no specs)
  • 10.exe (no specs)
  • magix.exe (no specs)
  • timeout.exe (no specs)
  • notepad.exe (no specs)
  • noescape8.0.exe (no specs)

Process information

PID | CMD | Path | Indicators | Parent process

516 | melter.exe | C:\yourpc\melter.exe | - | cmd.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\yourpc\melter.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\gdi32.dll
680 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | - | tunnel.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1348 | timeout 10 | C:\Windows\SysWOW64\timeout.exe | - | cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
timeout - pauses command processing
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
2320 | INV.exe | C:\yourpc\INV.exe | - | cmd.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\yourpc\inv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\gdi32.dll
2568 | REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f | C:\Windows\SysWOW64\reg.exe | - | cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
4892 | Magix.exe | C:\yourpc\Magix.exe | - | cmd.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\yourpc\magix.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
5376 | 10.exe | C:\yourpc\10.exe | - | cmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\yourpc\10.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.3996_none_d954cb49e10154a6\gdiplus.dll
c:\windows\syswow64\msvcrt.dll
5508 | "C:\WINDOWS\System32\WScript.exe" "C:\yourpc\es.vbs" | C:\Windows\SysWOW64\wscript.exe | - | cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\syswow64\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
6540 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | - | INV.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7052 | tunnel.exe | C:\yourpc\tunnel.exe | - | cmd.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\yourpc\tunnel.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\gdi32.dll
Total events
2 615
Read events
2 608
Write events
5
Delete events
2

Modification events

(PID) Process: (7604) cmd.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids
Operation: write
Name: VBSFile
Value:

(PID) Process: (8120) boot.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: wininit
Value:

(PID) Process: (8120) boot.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: wininit
Value: C:\yourpc\boot.exe

(PID) Process: (8120) boot.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: wininit
Value: C:\yourpc\boot.exe

(PID) Process: (8060) cmd.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids
Operation: write
Name: VBSFile
Value:

(PID) Process: (2568) reg.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: DisableTaskMgr
Value: 1

(PID) Process: (5376) 10.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithProgids
Operation: write
Name: txtfile
Value:

Executable files
31
Suspicious files
1
Text files
10
Unknown types
0

Dropped files

PID | Process | Filename | Type

7488 | NoEscape8.0.exe | C:\yourpc\First2.exe | executable
MD5: EAD502D394DE29812FD9036AEE094F76
SHA256: 5B6359FC7B67CF6883D7BEE2F3FAD9A130572124EACFC849710104B30B5359D9

7488 | NoEscape8.0.exe | C:\yourpc\melter.exe | executable
MD5: D9BAAC374CC96E41C9F86C669E53F61C
SHA256: A1D883577BCB6C4F9DE47B06FE97C370C09BDDFFB6569B6CF93576371BDBC412

7488 | NoEscape8.0.exe | C:\yourpc\Five.exe | executable
MD5: DDF0E07D14AC7CDB283D608D20215670
SHA256: 31B115363E8068E69F5B29C4FAE827A02A04BE34DCFAF9A4A1A858D67413F04B

7488 | NoEscape8.0.exe | C:\yourpc\GlitchB.exe | executable
MD5: F529213E9A27A9A4E3FA344CFF5E70E3
SHA256: 8B3B3B3B2CCF787A7CA4672E717134D3BDF52E7C43D29737DB2BF8B1E820C0D1

7488 | NoEscape8.0.exe | C:\yourpc\f.vbs | text
MD5: A4ED5CEA72CB85933B97EF6FD4B95A27
SHA256: E41A70375F153C9B4600D178CF43C4411583454AF32C0D74FAB05FB950D581E0

7488 | NoEscape8.0.exe | C:\yourpc\main.bat | text
MD5: D381FDBE8F6A130E25247FA1E029805B
SHA256: 9ECA23B0358E5507734EF7A2247C310C7BE23C85776913C49947AFB41C885273

7488 | NoEscape8.0.exe | C:\yourpc\RGB2.exe | executable
MD5: FEA35D7263D27E46951403DC1EA49FB6
SHA256: 2E4BD333C195C64478F1F64799212B5D9837F5D2EC315B15CC3712555B68A09C

7488 | NoEscape8.0.exe | C:\yourpc\MouseDraw.exe | executable
MD5: BE86C274800697354120D01C65F33258
SHA256: DFA46EFCC267F7C4FA18C9A3F1F0204FE3266CCEADFF2A8FFFB9D1A66312EA4D

7488 | NoEscape8.0.exe | C:\yourpc\First.exe | executable
MD5: B326CDA81E5711AED4C4DCA71E111C3E
SHA256: 29297A0FF5B8B80CF5C96185AD6BD7A323DAC9749185C516363E84B6710627CE

7488 | NoEscape8.0.exe | C:\yourpc\ColorA.exe | executable
MD5: 2990BD81B18D93ACDA8EDE7B79F71B31
SHA256: 781F67D14A5EE5CF6508874DC47E4EC6C60B895C9893112272AEC44CCDCAFC51
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info